Using Opalis & SCOM To Protect Your Domain Admin Security Group


In a previous post, I described how you can use SCOM to create a custom alert that watches the security group on your DCs for changes to the “Domain Admins” security group.

I mentioned in that post that I was using this as a backdrop for an Opalis demo that uses that alert to start a workflow that disables the user account, removes it from the domain admins group, populates a ‘notes’ field in AD with information about why the account was disabled, clears the alert in SCOM and finally sends an Exchange email with the details to the administrator.

Folks have asked for more details on the Opalis workflow behind this – so here you go.

You can download the OIS file here and import it into Opalis to see what I did.

Let’s get started…

First off, here’s the workflow I use:

[Image: the Opalis workflow]

Here are the steps:

1) Monitor Alert:  We’re watching for any NEW alerts in SCOM that contain the string “DAACESS” in the CustomField2 property (there's more detail on this in the blog post I reference above)

2) Query XML:  We need to query the description CONTEXT from our SCOM alert to extract the CN name for the offending user account that was added to the domain admins group

*You can find what you want to query from by clicking the ‘alert context’ tab on the SCOM alert.  In this case we want the full CN of the user account so we use “MemberName”.

3) Disable User:  Using the result from the XML query, we’re disabling the user account

4) Remove User From Group:  Next, we remove the offending account from the domain admins group.  In my case, I just set up a variable for the domain admins group – you can pull that via XML as well if you want.

* Here’s my detail for the ‘group’ variable

[Image: detail of the ‘group’ variable]

5) Update User: We can update the “notes” field in the AD account to put some detail around why the account was disabled (there are other options you can pick as well if you want to update other properties – just use the ‘select fields’ to choose)

6) Update Alert:  Now, we’re going to go ahead and close the alert in SCOM since we’ve successfully remediated this issue.  Alternatively,  you could branch here if you had a failure and send an email or alert in some other fashion (or start another workflow)

7) Send Exchange Email:  Finally, we’re going to send an email to the administrator with all the details

* You’ll need to have an Outlook profile configured to send Exchange email – on the connect tab, you’ll specify the name of the profile you’ll use.  Also, if you want proper formatting (line breaks, etc…) make sure you use ASCII formatting

This sends the following email:

[Image: the email that is sent]

That should get it done.  Enjoy!
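
Step 2 feeds everything that follows, so it is worth checking what the XML query really returns before the account is disabled. The sketch below is an added example, not part of the original workflow or the OIS file: the alert-context XML is a constructed sample, the namespaced layout is an assumption, and the function names are hypothetical. It shows one case where an unqualified lookup of `MemberName` comes back empty, a lookup that ignores namespaces, and a sanity check on the value before remediation runs.

```python
import xml.etree.ElementTree as ET

# Constructed sample alert context (not captured from a real SCOM server).
PLAIN_CONTEXT = """<DataItem type="System.XmlData">
  <EventData>
    <Data Name="TargetUserName">Domain Admins</Data>
    <Data Name="MemberName">CN=Test User,OU=Staff,DC=example,DC=com</Data>
  </EventData>
</DataItem>"""

# Same data, but the event payload declares a default namespace
# (assumed layout; check the 'alert context' tab of your own alert).
NAMESPACED_CONTEXT = PLAIN_CONTEXT.replace(
    "<EventData>",
    '<EventData xmlns="http://schemas.microsoft.com/win/2004/08/events/event">')


def naive_member_name(context_xml):
    """Unqualified lookup: only matches <Data> elements in no namespace."""
    node = ET.fromstring(context_xml).find(".//Data[@Name='MemberName']")
    return node.text if node is not None else None


def member_name(context_xml):
    """Namespace-agnostic lookup: compare local names, then the Name attribute."""
    for elem in ET.fromstring(context_xml).iter():
        local = elem.tag.rsplit("}", 1)[-1]  # drop a '{namespace}' prefix if present
        if local == "Data" and elem.get("Name") == "MemberName":
            return (elem.text or "").strip() or None
    return None


def safe_target_dn(context_xml):
    """Return the value only if it looks like a user DN; otherwise None,
    so the disable/remove steps are skipped instead of run on bad input."""
    dn = member_name(context_xml)
    if dn and dn.upper().startswith("CN=") and ",DC=" in dn.upper():
        return dn
    return None


if __name__ == "__main__":
    for label, xml_text in (("plain", PLAIN_CONTEXT), ("namespaced", NAMESPACED_CONTEXT)):
        print(label, "naive:", naive_member_name(xml_text), "| checked:", safe_target_dn(xml_text))
```

In XPath 1.0 the same namespace-agnostic match is written `//*[local-name()='Data'][@Name='MemberName']`. If the check returns nothing, branch to a notification instead of continuing to the Disable User step.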


Comments (2)

  1. Ron says:

    Interesting post, the Query however seems to not work for scor/scom 2012 R2 //Data[@Name='MemberName' ] returns empty when executing it? Has anyone encountered this and knows a good resolution?

  2. REN4 says:

    Interesting post, I seem to get an error however. The event gets picked up nicely, but when I Query XML and try to get {Query result from "Query XML"} it is always empty, have you ever encountered this? Orchestrator 2012 R2 and SCOM 2012 R2